It’s what I like to call “Worry Wednesday”, the day after Patch Tuesday, when system administrators around the world furrow their brows in concern that malicious hackers will dissect the latest security patches issued by Microsoft and develop attacks which exploit the flaws.
It’s obviously good news whenever the likes of Microsoft and Adobe release fixes for security holes, and make them available for home users and businesses to install.
But it’s a double-edged sword. An official software patch fixes the flaw, but the patch itself can provide clues to reverse-engineering hackers as to how they could exploit the vulnerability on machines that have not yet been updated.
So, most of the time, it’s a good idea to install the patches at the earliest opportunity. Indeed, if you’re a home user it can make the best sense to automatically install security patches rather than force yourself to go through the rigmarole of remembering to download and roll out the updates yourself whenever they become available.
If you’re a big business, it’s not unusual to test that the patches don’t cause any unintended conflicts before you roll them out across hundreds of thousands of computers on your network.
Yesterday, it was the second Tuesday of the month. In Microsoft language that means it was “Patch Tuesday”, their regular time for issuing security updates, and sure enough they released security fixes for vulnerabilities in Windows, Internet Explorer, Microsoft Exchange, Office, Lync and Microsoft Developer Tools.
Amongst the flaws they fixed was a zero-day flaw that has allowed hackers to launch targeted attacks involving boobytrapped Word documents, and broader financially-motivated campaigns using boobytrapped TIFF image files.
Microsoft had said it had seen malicious Word documents (with dangerous TIFF files embedded inside) sent to targeted companies based in the Middle East and South Asia.
But now there’s a proper fix, so you should install it before you end up in hackers’ gunsights.
Unfortunately, there *wasn’t* a fix released for the critical zero-day XP kernel attack that has been putting users of older versions of Windows at risk since the end of November.
But it wasn’t just Microsoft that released security patches yesterday.
Adobe, a company that has often been on the receiving end of hacker attacks, issued security fixes for its Adobe AIR product and Flash and Shockwave players.
The Flash issue seems the most serious, as Adobe says it is aware of reports that an exploit designed to trick users into opening Microsoft Word documents containing malicious Flash content exists for one of the vulnerabilities.
Make it your resolution for 2014 to get into the habit of taking security updates seriously. If companies like Microsoft and Adobe are prepared to go to the effort to investigate, fix and then publicise security holes in their software – you really should be listening to them.